As the United States' technology infrastructure ages, and Internet
connectivity becomes ubiquitous, America's largest companies -- and
government agencies -- are under fire from cyber attackers around the
world.

But this isn't like conventional warfare: the days
of nation-versus-nation are over. In the Digital Era, espionage is a
shadowy game of rapidly changing affiliations where the attacks are
swift, anonymous and devastating. So how can the U.S. stay ahead?

Experts gathered here at Bloomberg's 2012
Cybersecurity Conference to discuss exactly that. Northrup Grumman's
Christopher Valentino, Raytheon's Jeff Snyder, former U.S. Air Force
military intelligence officer Cedric Leighton and Trend Micro vice
president Tom Kellermann discussed how secure American companies really
are (not really), discussed where the threats will come from next (where
you least expect) and what can be done about it (read on!).

We are the battlefield
The first problem: warfare is no longer relegated to soldiers on a distant
battlefield. In the age of connectivity, individuals have the potential
to become collateral damage.

"Everybody is not only vulnerable, but also on the
front line," Leighton said. "It's not a uniformed services issue, it is
everyone's issue."

And it's not entirely clear who "they" is. One thing we learned from the Sept. 11 terrorist attacks, Kellermann said, is that non-state actors can attack critical infrastructure.

Take the Stuxnet worm, for example -- its creator
certainly didn't expect it to become ammunition in bigger war, altered
to suit the intentions of other actors, he said. Integrity attacks such
as this are quite worrisome, and the worst threats are those that
manipulate data to turn the database on itself, violating the trust that
the system operator worked so hard to build with its customers,
Kellermann said.

"As soon as you use one of these weapons once,
everybody's game changes," moderator and Bloomberg News reporter Michael
Riley said.

Leighton, with a twinkle in his eye, took it a step further: "What if Joseph Goebbels, master [Nazi] propagandist, had access to the Internet? What could he manipulate?"

Imagining disaster
Take the financial sector, for example. It's the most secure of them all,
according to Kellermann, but that's because major players are dealing
with the most severe threats. It's the nature of their business.

"You can't unwind transactions," he said. "Transactions are time-stamped. Being able to manipulate time is the most dangerous thing, to me, in that sector."

And all it takes is undermining confidence in a market to shake it,
causing widespread, long-term economic effects that affect an economy's
integrity.

The financial services sector isn't the only one, either: consider the effects on the pharmaceutical industry. The chemical industry. The transportation industry.

Train cars full of explosive chemicals are traveling
across the U.S. every day. What could happen to those rail switches
when a conductor forgets to patch his laptop?

Digital warfare
Part of the challenge is its breadth, Kellermann said. According to Interpol, even
the biggest organized crime syndicates have business divisions for
cyber. When a company or country finds itself at war over the wires, can
it fight against anonymous enemies it doesn't understand?

Is 21st century warfare simply swinging blindly in the dark?

"Nation-states don't have control over non-state actors to contain behavior during
periods of conflict," Kellermann said. "Who's in control, with a lack of
attribution?"

The attacks may not be direct, either. A military's
operations can be undermined when a cyber attacker compromises a
civilian contractor.

"If game theory is turned
on its head or made irrelevant from the sheer number of actors on the
stage, then you've got a serious control problem," Leighton said.

And control is everything. Cyber attackers may not
be able to physically occupy a country, but they can influence and
change behavior -- often through fear, Leighton said. For example,
consider the differences in governing style between the U.S. and China.

"You have to look at China as, from a historical
standpoint, a country that seeks to influence [and not occupy]," he
said. "The advent of the Internet is perfect for Chinese policy."

A new point of view
With these myriad threats, how should a government or corporation react? By thinking like the enemy, panelists agreed.

"You've got to think like the enemy," Leighton said. "You've got to think like a hacker."

It starts by respecting where the Internet is headed
and how hackers will operate within that environment. Is there a way to
prioritize security so that you let cyber burglars break into the house
-- only to find themselves stuck in the damp basement with your pet
Rottweilers?

Government agencies have traditionally had difficulty doing this, Valentino said.

"They fail to identify what's really critical," he said. Like money and food and the means with which to get that to people.

You can't get rid of all vulnerabilities, Snyder
added. You have to swallow that reality and move on. "Recognize that
every perimeter is penetrable," he said. "What is the next phase?"
That's why Intel bought MacAfee -- because the future is in hosting
critical applications at the processor level.

Companies need to have a better attitude about security, Kellermann said.

"For
too long, organizations viewed security as an expense, rather than a
functionality to sustain critical infrastructure," he said. "There's a
lot of plausible deniability."

According to a recent McAfee survey, more than half
of companies experienced a breach and didn't immediately report it or
fix it because of potential impact on industry reputation.

"That's mind-boggling," Kellermann said.

Suit up
The bottom line? Companies and organizations need to bear arms against
cyber attackers -- because disaster is only a matter of time, and no
government superhero will come to the rescue when it does.

"Cyberspace is not civilized," Kellermann said. "Only you can save you from this invisible threat. Recognize and appreciate it."

Leighton put it in more colorful terms. The looming threat of a cyber attack is
less like Pearl Harbor -- the Japanese didn't occupy Hawaii; they were
never there -- and more like Singapore, he said. There, the Japanese
easily took the city-state by riding in on bicycles, through the jungle
-- all "because the guns were pointed in the wrong direction."

"Think about how vulnerable we are to the modern-day
bicycle riders through the jungle in Malaysia," Leighton said. "Only
it's the whole world."